Tom Prince authored
Note that changing the origin repository in the on-node deployment checkout is also required. See https://whetstone.private.storage/privatestorage/privatestorageops/-/merge_requests/197#note_19071
#
# This is a bare-bones configuration that can be edited slightly and then
# dropped on a 100TB machine that is being crossgraded to NixOS. It is
# tailored to the specific hardware choices made for our machines at 100TB and
# 100TB's network configuration. The goal is to configure a system *enough*
# that a better tool (eg morph) can take over.
#
# 1. Customize the variables below this comment.
#
# 2. Overwrite /etc/nixos/configuration.nix on the Debian machine that has had
# NixOS installed on top of it.
#
# 3. Copy the generated /etc/nixos/hardware-configuration.nix from the Debian
# machine and add it to this repository. We need it to build the system
# later.
#
# 4. Finish the NixOS install and reboot into a pristine NixOS system.
#
# 5. Specify the real configuration for this system and deploy it with morph.
#
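let
  # Make all of these correct for the target host. The values below were taken
  # from one particular machine and are left in place only as examples.

  # You can probably find this interface using `ip addr` on the target system
  # while it's still running Debian. Pick the interface that has the public
  # address assigned.
  interface = "eno1";

  # You probably just know what the public address is. Make sure this agrees
  # with what you see in `ip addr` though.
  publicIPv4 = "69.36.183.24";

  # You'll find this on the address in the `ip addr` output. eg:
  #
  #   3: wlp4s0: ...
  #       ...
  #       inet 69.36.183.24/24 ...
  #                         ^^ See?
  #
  prefixLength = 24;

  # This is the default gateway address. You can find it with `ip route` on
  # the target system.
  gateway = "69.36.183.1";

  # And the gateway itself is reachable on a particular interface. Most
  # likely the same as the interface above but I don't know if this is
  # guaranteed. Look at the `ip route` output to be sure.
  gatewayInterface = "eno1";

  # The unique disk identifier where grub should be installed. This should
  # probably be sda. You can find this value by looking for the
  # wwn-... symlink to sda in /dev/disk/by-id/. For example:
  #
  #   $ ls -l /dev/disk/by-id/
  #   lrwxrwxrwx 1 root root  9 Aug 29 08:09 wwn-0x5002538d414bf195 -> ../../sda
  #
  # Be sure to pick the disk identifier and not the identifier of one of the
  # partitions!
  grubDeviceID = "wwn-0x5000c500936410b9";

  # This is whatever ssh public key is appropriate at the time. I'm leaving
  # mine here for now. This key is the ONLY credential that grants access to
  # the bootstrapped host, so make sure it is the one you actually hold.
  rootPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon";

  # Stop! I hope you're done when you get here. If you have to modify
  # anything below this point the expression should probably be refactored and
  # another variable added controlling whatever new thing you need to control.
  # Open an issue: https://whetstone.private.storage/privatestorage/PrivateStorageio/-/issues/new?issue
in
# Define a function that ignores all its arguments. We don't need any of them
# for now.
{ ... }:
{
  # Load the hardware configuration for this host. This is generated by
  # nixos-generate-config on the target host. There is no such file checked
  # in to the repository because it necessarily varies from host to host. For
  # example, it includes the disk id of the root partition. We just rely on
  # the tool to generate the correct configuration and then we load it from
  # here.
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
  ];

  # Configure the bootloader how we like.
  boot.loader.timeout = 10;
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/disk/by-id/${grubDeviceID}";

  # Let me in to do subsequent configuration. This makes the machine wide
  # open. We might consider locking this down a bit more. For example, we
  # should only need SSH access for the next step. However, there's basically
  # nothing else on the system right now so it's not an extreme risk to just
  # turn off the firewall. Initially this was the approach to make sure I
  # wouldn't get locked out of a system working perfectly well but with an
  # overly restrictive firewall (since that case basically makes the machine a
  # brick to me).
  networking.firewall.enable = false;

  # Also, turn on the OpenSSH server so I (morph, really) can log in and make
  # further changes.
  services.openssh.enable = true;

  # With the firewall off, sshd is reachable from anywhere for as long as this
  # bootstrap configuration is in place. The only intended login path is the
  # public key configured below and root has no password hash set, so state
  # that explicitly instead of relying on sshd/NixOS defaults: key-only
  # authentication, and root may log in with a key but never with a password.
  services.openssh.passwordAuthentication = false;
  services.openssh.challengeResponseAuthentication = false;
  services.openssh.permitRootLogin = "prohibit-password";

  # Grant root access to the holder of the configured key. We don't bother
  # setting a password because keys are better. We also don't configure any
  # additional users because that will happen later.
  users.users.root.openssh.authorizedKeys.keys = [
    rootPublicKey
  ];

  # Provide the static network configuration. 100TB doesn't use DHCP so turn
  # off our client.
  networking.dhcpcd.enable = false;

  # Put the configured address on the configured interface.
  networking.interfaces = {
    "${interface}".ipv4.addresses = [
      { address = publicIPv4; inherit prefixLength; }
    ];
  };

  # And set up the configured route as the default.
  networking.defaultGateway = {
    address = gateway;
    interface = gatewayInterface;
  };

  # I don't know if 100TB provides nameservers but these are pretty safe in
  # general. This may not be strictly required to get the NixOS install
  # bootable but a lot of tools have a dependency on being able to resolve
  # names (for example, the Nix system configuration tool).
  networking.nameservers = [
    "4.2.2.1"
    "8.8.8.8"
  ];

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "19.03"; # Did you read the comment?
}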